• Russ (unregistered)

    Achtung - I Bin Frist Berliner

  • Anketam (cs)

    Does Java even allow this to compile (I don't normally use Java)? I thought that 'Microsoft Internet Explorer' would throw an exception since ' is reserved for chars not strings.

  • ammoQ (cs) in reply to Anketam
    Anketam:
    Does Java even allow this to compile (I don't normally use Java)? I thought that 'Microsoft Internet Explorer' would throw an exception since '' is reserved for chars not strings.

    In JavaScript (which is generally interpreted, not compiled, btw.) both " and ' can be used to delimit strings. In JavaScript, chars are not seperate types, but simply strings with length 1, so there is no reason to distinguish between strings and chars.

  • mahe (unregistered)

    It's JavaScript of course, so it doesn't compile anyway.

  • Remy Porter (cs)

    Most JavaScript runtimes do compile the code, these days. JIT compilation, but still compiled. It's interpreted in the same way that MSIL is interpreted.

  • Philip Newton (unregistered)

    The best bit is the condition which starts:

    if (event.keyCode == 18 && event.keyCode == 8

    Or perhaps they’re already ready for quantum computing, where the key code can be 8 and 18 simultaneously?

  • Gyxi (unregistered) in reply to Anketam
    Anketam:
    Does Java even allow this to compile (I don't normally use Java)? I thought that 'Microsoft Internet Explorer' would throw an exception since ' is reserved for chars not strings.

    This comment is TRWTF

  • Nick (unregistered) in reply to Philip Newton
    Philip Newton:
    The best bit is the condition which starts:
    if (event.keyCode == 18 && event.keyCode == 8

    Or perhaps they’re already ready for quantum computing, where the key code can be 8 and 18 simultaneously?

    LMAO. Schrödinger's "event.keyCode"

  • Jasper (unregistered)

    So, to fix it, Wladimir installed Firefox or Chrome for his father?

  • Smug Unix User (unregistered)

    I wonder what they would have coded for Lynx.

  • Harrison Killer (unregistered)

    [quote]The jury's still out as to whether or not this contributes to the overall quality of the site, but rest assured Netscape fans, you are not forgotten.[/b]

    Let's work on our punctuation, shall we?

  • Martin (unregistered)

    Wladimir Palant is btw notable for being the developer of the Adblock Plus extension: http://adblockplus.org/en/

  • daef (unregistered)

    bigger article 'bout the same bank (GERMAN) http://www.infogurke.de/2010/07/erfahrungen-mit-bank-of-scotland/

  • The MAZZTer (cs)

    Other WTFs to those not familiar with JS:

    event/e object is just data about the event. Setting properties on it has no effect outside of the event handler AFAIK, other event handlers will receive a fresh, new event object without the changed data. Only exception is event object has functions on it which do affect how the event is processed after this handler.

    Other than that... this is actually somewhat standard JS afaik for blocking certain keys from triggering standard browser actions. They could certainly write it better to work on all browsers (sniff based on event object presence and properties, not on app name).

    But they probably are being a little overzealous on the key blocking. 8 is the key code for the TAB key, which switches keyboard input between form fields, and you probably shouldn't block it for keyboard navigation/accessibility.

  • Anketam (cs) in reply to Gyxi
    Gyxi:
    Anketam:
    Does Java even allow this to compile (I don't normally use Java)? I thought that 'Microsoft Internet Explorer' would throw an exception since ' is reserved for chars not strings.

    This comment is TRWTF

    Your mom is TRWTF.

    • When all else fails, resort to name calling.
  • Brian E (unregistered)

    TRWTF is that event is undefined in this function. They named the parameter e.

    function disablekeyboardnavigation(e)

    e is only used in "else if (navigator.appName == 'Netscape')".

    Thank the coder for cut/paste.

  • Pebs (unregistered) in reply to Jasper
    So, to fix it, Wladimir installed Firefox or Chrome for his father?
    Both Firefox and Chrome have "Netscape" in the navigator.appName variable. IFAIK, it's one of those things that's just there for backwards compatibility reasons to support legacy JavaScript code.
  • Ryan E (unregistered)

    I really like the function above that one in the js file:

    function returnFalse () {return false;}

    Why just use false, when you can returnFalse()?

  • Meh (unregistered) in reply to The MAZZTer
    The MAZZTer:
    8 is the key code for the TAB key, which switches keyboard input between form fields, and you probably shouldn't block it for keyboard navigation/accessibility.

    Unless IE is more messed up than I think it is, 8 is backspace. 9 is tab.

  • Dave (unregistered) in reply to Brian E
    Brian E:
    TRWTF is that event is undefined in this function. They named the parameter e.

    function disablekeyboardnavigation(e)

    e is only used in "else if (navigator.appName == 'Netscape')".

    Thank the coder for cut/paste.

    That is IE's WTF, only Netscape passes the event object in the parameter, in IE you have to use the global window.event.

  • GoodtimesSnuggler (unregistered) in reply to Brian E
    Brian E:
    TRWTF is that event is undefined in this function. They named the parameter e.

    function disablekeyboardnavigation(e)

    e is only used in "else if (navigator.appName == 'Netscape')".

    Thank the coder for cut/paste.

    Event isn't undefined. All browsers (minus IE) use the first argument as the event object. IE uses window.event, which is the last pushed event.

  • Dave (unregistered) in reply to The MAZZTer
    The MAZZTer:
    Other WTFs to those not familiar with JS:

    event/e object is just data about the event. Setting properties on it has no effect outside of the event handler AFAIK, other event handlers will receive a fresh, new event object without the changed data.

    In IE setting event.keycode=0 stops the event being passed to the control.

  • ¯\(°_o)/¯ I DUNNO LOL (unregistered) in reply to Ryan E
    Ryan E:
    I really like the function above that one in the js file:

    function returnFalse () {return false;}

    Why just use false, when you can returnFalse()?

    function returnFileNotFound () {return FileNotFound;}

    TRWTF is the Bank of Scotland using German text? Ach, laddie! This canna be troo!

  • My name is unimportant (unregistered)

    Judging by the comments and disagreement so far about how JavaScript behaves or doesn't behave in certain browsers, once again, it must be said - TRWTF is JavaScript. But I guess it still beats flash.

  • Gary (unregistered) in reply to Pebs
    Pebs:
    So, to fix it, Wladimir installed Firefox or Chrome for his father?
    Both Firefox and Chrome have "Netscape" in the navigator.appName variable. IFAIK, it's one of those things that's just there for backwards compatibility reasons to support legacy JavaScript code.

    Of course the code tests for equality not substring. Not that we were running short on WTFs today, but one must save up for potential lean times ahead.

    captcha: augue ... a fever that portends ill

  • El Pollo Diablo (unregistered) in reply to ¯\(°_o)/¯ I DUNNO LOL
    ¯\(°_o)/¯ I DUNNO LOL:
    Ryan E:
    I really like the function above that one in the js file:

    function returnFalse () {return false;}

    Why just use false, when you can returnFalse()?

    function returnFileNotFound () {return FileNotFound;}

    TRWTF is the Bank of Scotland using German text? Ach, laddie! This canna be troo!

    Apparantly they have some German speaking customers, considering the existence of www-dot-bankofscotland-dot-de (Bad akismet slap. Enterily relevant stuff, here).

  • @Deprecated (cs) in reply to Philip Newton
    Philip Newton:
    The best bit is the condition which starts:
    if (event.keyCode == 18 && event.keyCode == 8

    Or perhaps they’re already ready for quantum computing, where the key code can be 8 and 18 simultaneously?

    This bit is not bad, either:

      if ((event.altKey) && (event.srcElement.tagName == "INPUT")) {
      }
      if ((event.keyCode == 96) || (event.keyCode == 97) || (event.keyCode == 98)) {
      }
      if ...
    

    missing some else statements, perhaps?

  • iWantToKeepAnon (unregistered) in reply to Ryan E
    Ryan E:
    I really like the function above that one in the js file:
    function returnFalse () {
       /* that's it. */
       return false;
    }
    

    Why just use false, when you can returnFalse()?

    There, fixed it.

  • F (unregistered) in reply to El Pollo Diablo
    El Pollo Diablo:
    ¯\(°_o)/¯ I DUNNO LOL:
    Ryan E:
    I really like the function above that one in the js file:

    function returnFalse () {return false;}

    Why just use false, when you can returnFalse()?

    function returnFileNotFound () {return FileNotFound;}

    TRWTF is the Bank of Scotland using German text? Ach, laddie! This canna be troo!

    Apparantly they have some German speaking customers, considering the existence of www-dot-bankofscotland-dot-de (Bad akismet slap. Enterily relevant stuff, here).

    However, the ones who choose to use Netscape are expected to cope with an error message in English.

  • Gary (unregistered) in reply to Ryan E
    Ryan E:
    I really like the function above that one in the js file:

    function returnFalse () {return false;}

    Why just use false, when you can returnFalse()?

    There is some more work to be done here. I see quite a few return falses in the code. These should all be rewritten: return returnFalse();

    Of course there are also return trues, hence a new function

    function returnTrue() {return true;}
    

    with usage: return returnTrue();

    Of course, this is horrible practice, because it should be refactored to a single function:

    function returnTrueOrFalseOrSomethingElse(bool) {
      try{
        returnTrueOrFalse( (bool)?bool:false); 
       }
       catch(e) {
        return (bool)?bool:false;
       }
    

    and we can use it like this both as a return value or as an parameter-less event handler.

    return returnTrueOrFalse(true)
    
    document.onpaste=returnFalse;
    

    I suppose all that recursion makes the function robust enough that it can be used a general-purpose returner function, so all stupid usages like return returnValue; can be replaced with return returnTrueOrFalseOrSomethingElse(returnvalue);

    C programmers of course would just overload return.

  • Cbuttius (cs)

    from google translate:

    The selected action can not be executed. Please use the navigation at your online banking division

  • F (unregistered) in reply to My name is unimportant
    My name is unimportant:
    Judging by the comments and disagreement so far about how JavaScript behaves or doesn't behave in certain browsers, once again, it must be said - TRWTF is JavaScript. But I guess it still beats flash.

    That's a little unreasonable. Irrational differences in how browsers invoke Javascript functions are not the fault of Javascript, any more than rendering quirks are the fault of the graphics subsystem.

    And most of the Javascript WTFs result from letting idiots write code. Just like every other language ...

  • Cbuttius (cs) in reply to The MAZZTer
    The MAZZTer:
    Other WTFs to those not familiar with JS:

    event/e object is just data about the event. Setting properties on it has no effect outside of the event handler AFAIK, other event handlers will receive a fresh, new event object without the changed data. Only exception is event object has functions on it which do affect how the event is processed after this handler.

    Other than that... this is actually somewhat standard JS afaik for blocking certain keys from triggering standard browser actions. They could certainly write it better to work on all browsers (sniff based on event object presence and properties, not on app name).

    But they probably are being a little overzealous on the key blocking. 8 is the key code for the TAB key, which switches keyboard input between form fields, and you probably shouldn't block it for keyboard navigation/accessibility.

    Have Mozilla yet fixed the Alt-S for submit form rather than history yet?

  • iWantToKeepAnon (unregistered) in reply to My name is unimportant
    My name is unimportant:
    Judging by the comments and disagreement so far about how JavaScript behaves or doesn't behave in certain browsers, once again, it must be said - TRWTF is JavaScript. But I guess it still beats flash.

    Don't blame the language for the sins of the browser wars and piss poor browser/DOM integration. That's not the language's fault, it's Microsoft's fault. And Netscape's too.

    It'd be great if we could get browser vendors to agree on a DOM, event, and parameter passing standard; and to cut all the old spaghetti code and make some rational sense of it all. But that'd break the web and browsers would have to provide backwards compatibility modes and things would only get worse. Better to use a library that abstracts all that away and let's you focus on using JS in all its glory (well it does have some) to write your app.

  • ¯\(°_o)/¯ I DUNNO LOL (unregistered) in reply to F
    F:
    And most of the Javascript WTFs result from letting idiots write code. Just like every other language ...
    B...b...but he can't be an idiot! He knew how to make a square root function from bailing wire and a hockey ticket!
  • Robin (unregistered) in reply to Harrison Killer
    Harrison Killer:
    [ quote]The jury's still out as to whether or not this contributes to the overall quality of the site, but rest assured Netscape fans, you are not forgotten.[/b]

    Let's work on our punctuation, shall we?

    Let's work on our tag matching, shall we? (quote != b)

    Muphry's Law strikes again.

  • iToad (unregistered) in reply to Nick
    Nick:
    Philip Newton:
    The best bit is the condition which starts:
    if (event.keyCode == 18 && event.keyCode == 8

    Or perhaps they’re already ready for quantum computing, where the key code can be 8 and 18 simultaneously?

    LMAO. Schrödinger's "event.keyCode"

    It's a property in the Schrödinger.event .NET assembly.

  • TopTension (unregistered)

    This site really is horrible. If I hit the Enter key (in Opera) after entering name and password or the answer to the security question, I get the "400 - Bad request" error page. I have to grab the mouse and click the button instead.

    Not surprising after seeing the code...

  • Ralph (unregistered)
    document.onkeydown = disablekeyboardnavigation;
    No.

    I don't think so.

    I'm afraid you are very, very confused. It is my computer. Not yours. N-O-T Y-O-U-R C-O-M-P-U-T-E-R. Can you hear me yet?

    There's a reason humans invented language. Not everything can be expressed by pointing and grunting. And even if it could, language is so much more efficient for those who can be bothered to learn it. And despite what the "usability" crapspewers insist, most everyone can learn language.

    You can have my keyboard when you pry it from my cold dead fingers, fuckyouverymuch.

    This is why I do not give permission for random asshats to take control of my browser.

    You forgot to disable my shotgun while you were at it.

    Do the world a favor and die. Please just die already. Yes I really mean it.

  • jugis (unregistered) in reply to Anketam
    Anketam:
    Gyxi:
    Anketam:
    Does Java even allow this to compile (I don't normally use Java)? I thought that 'Microsoft Internet Explorer' would throw an exception since ' is reserved for chars not strings.

    This comment is TRWTF

    Your mom is TRWTF.

    • When all else fails, resort to name calling.

    Seriously, if after about 17 years of Internet a developer - regardless of when they started calling themselves one - hasn't touched HTML (and, with it, JavaScript; and then some), please step away from the fucking computer.

  • C-Derb (unregistered) in reply to @Deprecated
    @Deprecated:
    Philip Newton:
    The best bit is the condition which starts:
    if (event.keyCode == 18 && event.keyCode == 8

    Or perhaps they’re already ready for quantum computing, where the key code can be 8 and 18 simultaneously?

    This bit is not bad, either:

      if ((event.altKey) && (event.srcElement.tagName == "INPUT")) {
      }
      if ((event.keyCode == 96) || (event.keyCode == 97) || (event.keyCode == 98)) {
      }
      if ...
    

    missing some else statements, perhaps?

    Personally, I'm partial to this, because, you know, maybe event.keyCode will change when the if statement is evaluated...

    if (event.keyCode == 8)
    {
      if ((event.keyCode == 8) && (event.srcElement.tagName != "INPUT"))
      {
       ...
      }
    
  • Garrison Fiord (unregistered) in reply to Ralph
    Ralph:
    document.onkeydown = disablekeyboardnavigation;
    No.

    I don't think so.

    I'm afraid you are very, very confused. It is my computer. Not yours. N-O-T Y-O-U-R C-O-M-P-U-T-E-R. Can you hear me yet?

    There's a reason humans invented language. Not everything can be expressed by pointing and grunting. And even if it could, language is so much more efficient for those who can be bothered to learn it. And despite what the "usability" crapspewers insist, most everyone can learn language.

    You can have my keyboard when you pry it from my cold dead fingers, fuckyouverymuch.

    This is why I do not give permission for random asshats to take control of my browser.

    You forgot to disable my shotgun while you were at it.

    Do the world a favor and die. Please just die already. Yes I really mean it.

    There is precedent for not allowing you to have full control of your property when it is visiting the property of others, i.e. you may be stopped and/or removed from your vehicle if you are driving it through the 2nd floor of your local mall.

    You can take your over reactions and your handy-dandy keyboard shortcuts to some other bank.

  • lanmind (cs) in reply to Philip Newton
    Philip Newton:
    The best bit is the condition which starts:
    if (event.keyCode == 18 && event.keyCode == 8

    Or perhaps they’re already ready for quantum computing, where the key code can be 8 and 18 simultaneously?

    I don'y dirty my hands with javascript, but isn't this the sort of code you would need to write to capture shift-tab and the like?

    Of course, trwtf is disabling keyboard navigation.

  • TopTension (unregistered) in reply to jugis
    jugis:
    Seriously, if after about 17 years of Internet a developer - regardless of when they started calling themselves one - hasn't touched HTML (and, with it, JavaScript; and then some), please step away from the fucking computer.

    You may not be aware of it, but not all is Internet in IT. I've been writing programs for 30 years and still didn't have to touch HTML, believe it or not. Nothing wrong with the internet, but IT is more than websites.

  • Shinobu (unregistered) in reply to Ryan E
    Ryan E:
    BoS:
    function returnFalse () {return false;}
    Why just use false, when you can returnFalse()?
    Because they're using it in places where it's getting called later and at that point it must return false. This is perfectly normal, although the things they're doing with it are evil. Of course TRWTF is that browsers allow websites to mess keyboard navigation, selection and context menus up in the first place. As a browser developer you should always ask yourself how a feature will be used to abuse the user. And yes that may mean (must mean) that web applications won't be able to do everything a native application can - and there's nothing wrong with that.
  • DavidN (unregistered)

    Aaaaagh! That's... appalling, but it isn't even the worst thing about the Bank of Scotland's online system. A while ago, I had to reset my security information, a step which looked like a fairly innocuous "set up security question/answers" page - but I absolutely couldn't convince the form to submit...

    You had to select three security questions from pick lists (what is your mother's maiden name, what was the make and model of your first car, and so on), and then type in an entirely custom question and answer for the fourth one. It was the custom question field that seemed to be the problem - all the other fields appeared to be all right, and I only ever got an unhelpful "Please set: Your own choice of question" error message when I tried to submit the form. So I initially thought that some overengineered security check was marking my question as being too common, or not forming a sentence it could parse, or something of equal silliness.

    But then I tore into the Javascript of the page, and realized that their question field was subject to the same validation check as the rest of the fields - you can have no spaces or special characters in your question (such as, fairly importantly, a question mark), or it won't be accepted. Once I pared my question down to "whatisyourfavouritecolour", I could finally get through.

    I have to wonder if they didn't notice a sharp drop in the number of online accounts being created...

  • F (unregistered) in reply to lanmind
    lanmind:
    Philip Newton:
    The best bit is the condition which starts:
    if (event.keyCode == 18 && event.keyCode == 8

    Or perhaps they’re already ready for quantum computing, where the key code can be 8 and 18 simultaneously?

    I don'y dirty my hands with javascript, but isn't this the sort of code you would need to write to capture shift-tab and the like?

    Of course, trwtf is disabling keyboard navigation.

    In a word, no.

    The only purpose served by code such as this is to use up processor cycles making tests that can never be satisfied.

  • da Doctah (cs) in reply to Ryan E
    Ryan E:
    I really like the function above that one in the js file:

    function returnFalse () {return false;}

    Why just use false, when you can returnFalse()?

    Information hiding.

    In case the value of false ever changes, you only have to change it in one place.

  • Rick (cs) in reply to My name is unimportant
    My name is unimportant:
    Judging by the comments and disagreement so far about how JavaScript behaves or doesn't behave in certain browsers, once again, it must be said - TRWTF is JavaScript. But I guess it still beats flash.
    Anybody look at Dart, Google's JavaScript killer? JavaScript does need to die; a slow and painful death without any palliative care.
  • chubertdev (cs) in reply to da Doctah
    da Doctah:
    Ryan E:
    I really like the function above that one in the js file:

    function returnFalse () {return false;}

    Why just use false, when you can returnFalse()?

    Information hiding.

    In case the value of false ever changes, you only have to change it in one place.

    var willValueOfFalseEverChange = returnFalse();

Leave a comment on “Bank of Scotland's Keyboard Trap”

Log In or post as a guest

« Return to Article